This invention relates to the field of computer systems. More particularly, a system and methods are provided for intelligently shifting or sharing the load of proxy duties in a networked computing environment.
In today's electronic society, organizations often separate their internal computer networks (e.g., Local Area Networks or LANs) from outside computing systems and networks (e.g., the Internet) by positioning a firewall between their internal network and the external systems and networks. Firewalls typically incorporate hardware and software elements to prevent an outside user from gaining unfettered access to internal assets and may also be configured to limit the activities of internal users when communicating with an external entity through the firewall. For example, a firewall may mask or alter outgoing communications to prevent an outsider from learning details of the internal computing environment. Further, a firewall may be configured to apply a set of rules (e.g., established by the organization's system or network administrator) to allow or disallow particular communications from passing through the firewall from one side to the other. Thus, firewalls are positioned astride what may be the only connection (or only full-time connection) between the internal network and external systems.
A firewall may incorporate one or more proxies or proxy modules to handle particular functions or particular types of traffic received by the firewall. In particular, proxies are often employed on a firewall to accept connections from internal users and establish connections with external entities on behalf of the users without revealing details or information concerning the users or the internal network and computer nodes.
In addition to representing a user to the outside world, a proxy may be configured to perform various other functions to enhance the security of the internal network and/or prevent unwanted or undesirable communications from being received. The more functionality or duties assigned to a proxy, however, the more overhead that is added to its operation. As a result, the performance of a proxy and, by extension, of the firewall may be degraded.
A firewall may have several proxies installed and enabled for a variety of purposes. A first proxy, for example, may be enabled for FTP (File Transfer Protocol) traffic passing through the firewall to scan transferred files for viruses.
Another proxy may be configured to examine all HTTP (HyperText Transport Protocol) traffic through the firewall in order to allow certain actions or commands (e.g., web surfing) and disallow others (e.g., disallow downloading of ActiveX controls).
When a message, communication or packet reflecting one of these protocols is received by the firewall, it is forwarded to the appropriate proxy. The proxy must then parse and examine the communication to determine if it is allowed to continue. The proxy thus applies a set of rules, criteria or parameters for each communication it receives. This may have a significant effect on the firewall's throughput. If, for example, a proxy scans every communication (e.g., for viruses or unwanted data such as pornography), communications may be slowed considerably.
Thus, what is needed is a system and method of applying the security features offered by a proxy but with little or no degradation to the operation of an organization's firewall and internal network. In particular, a firewall's overall performance may be enhanced by off-loading some of a proxy's duties (e.g., scanning for viruses or other content) for certain communications destined for trusted network nodes.
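As an added illustration (not part of the patent text), the following Python sketch models the dispatch scheme described above: the firewall routes each communication to the proxy for its protocol, each proxy applies its own rules, and the expensive content scan is off-loaded only when the destination is a trusted node. The trusted subnet, the malware marker and the ActiveX file extensions are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict

# Constructed inputs: one trusted subnet and a fake malware marker (not a real signature).
TRUSTED_NETS = [ip_network("10.10.0.0/16")]
MALWARE_SIGNATURES = [b"FAKE-MALWARE-MARKER"]
ACTIVEX_EXTENSIONS = (".ocx", ".cab")

@dataclass
class Message:
    protocol: str   # "ftp" or "http"
    dst: str        # destination address as seen by the firewall
    command: str    # e.g. "RETR report.doc" or "GET /index.html"
    payload: bytes = b""

@dataclass
class Verdict:
    allowed: bool
    reason: str
    scanned: bool   # whether the expensive content scan actually ran

def is_trusted(dst: str) -> bool:
    """A destination is trusted if it falls inside a configured trusted subnet."""
    return any(ip_address(dst) in net for net in TRUSTED_NETS)

def ftp_proxy(msg: Message, scan: bool) -> Verdict:
    """FTP proxy: allow transfers unless the (optional) virus scan matches."""
    if scan and any(sig in msg.payload for sig in MALWARE_SIGNATURES):
        return Verdict(False, "ftp: malware signature in transferred file", True)
    return Verdict(True, "ftp: transfer allowed", scan)

def http_proxy(msg: Message, scan: bool) -> Verdict:
    """HTTP proxy: permit ordinary web surfing, refuse ActiveX control downloads."""
    method, _, path = msg.command.partition(" ")
    if method not in ("GET", "POST"):
        return Verdict(False, f"http: method {method} not permitted", False)
    if path.lower().endswith(ACTIVEX_EXTENSIONS):
        return Verdict(False, "http: ActiveX control download disallowed", False)
    return Verdict(True, "http: web request allowed", False)

PROXIES: Dict[str, Callable[[Message, bool], Verdict]] = {"ftp": ftp_proxy, "http": http_proxy}

def firewall_dispatch(msg: Message) -> Verdict:
    """Route to the protocol's proxy; skip content scanning only for trusted destinations."""
    proxy = PROXIES.get(msg.protocol)
    if proxy is None:
        return Verdict(False, f"no proxy registered for {msg.protocol}", False)
    return proxy(msg, scan=not is_trusted(msg.dst))
```

A file carrying the marker is blocked when bound for an untrusted address but passes unscanned when bound for the trusted subnet, which is exactly the coverage traded away by the off-load and why the trusted-node list must be kept deliberately small.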